Monday, 01 June 2009

Configuring a Router as a VPN Server

Takeaway: If you want to provide remote access to your network for traveling users, you don’t have to spend a lot of money on a dedicated VPN server. If you’ve already got a Cisco IOS router, all you have to do is make the changes described in this article.

As Cisco routers have about 85% of the router market, most businesses today have a Cisco router connecting them to the Internet. So, why not use that router for more than just routing? What if it could be a VPN server to connect roaming users with laptops or home PCs back into your business network? This article will explain to you how to do just that.

A router as a VPN Server?!

Your first objection to using a Cisco router as a VPN server might be that you don’t want to have to install the Cisco VPN client software on all the remote PCs. Every Windows PC comes with a VPN client already, so you, like me, probably want to just use that. By using the already installed client, you save on the time it would take to train users to download and configure a different VPN client. Thus, you will use the built-in Microsoft VPN client to connect to our VPN server.

Author’s note

The configuration on your existing Internet router may be complex. This article can’t address all the possible configurations you may already have in place.

By the way, for your IOS router to act as a VPN server at all, you will need the DES or 3DES versions of the IOS. These are the versions that offer encryption, including the PPTP encryption we are using in the configurations below. The DES or 3DES versions will have a k8 or k9 in the filename of the IOS. These features must be licensed from Cisco and are not free, unless you already own that version of the IOS.

For the purposes of this demonstration, we will be using a Cisco 2610 router as a basic PPTP VPN server. We will be demonstrating this using a local username/password database. The functionality is included to have the Cisco router go to a RADIUS server (like Microsoft IAS server) and authenticate with Windows Active Directory (AD) usernames/passwords. That type of configuration would be ideal with any more than a handful of VPN users. However, that configuration is more complex than this entry-level document will cover. For more information, Cisco has published a document that covers using a Cisco IOS router with an MS IAS server for VPN.

Configuring the router

The biggest question you may have after reviewing this configuration is: how does this fit in with your firewall? Well, you can use a Cisco router as a firewall too, with something called CBAC (Context-based access control). This is also known as the Firewall Feature-set, and you need a special version of the IOS to do this.

The following configuration shows, step by step, how to configure the Cisco IOS router as an MS PPTP VPN server. The goal of this configuration is that you can take all the defaults of the VPN client in Windows XP. All you will have to do is add a new connection, provide the name (or IP address) of the VPN server, and your username/password. Figure A shows what your network will look like in the end.



On the Cisco IOS router

Start by making some changes on your router. First, you must enable VPDN (virtual private dial-up networking). This is used for VPN client connectivity, as opposed to site-to-site, always-up VPN connectivity. To do so, use this command:

Router(config)# vpdn enable

Create a VPDN group configured for PPTP, just like the Microsoft VPN client will use by default:

Router(config)# vpdn-group TEST-VPN

Router(config-vpdn)# accept-dialin

Router(config-vpdn)# protocol pptp

Router(config-vpdn)# virtual-template 1

Router(config-vpdn)# exit

Here, we will configure our interfaces to match the diagram. Naturally, your IP address configuration will vary:

Router(config)# interface ethernet0/0

Router(config-if)# ip address 10.253.15.19 255.255.0.0

Router(config-if)# no shutdown

Router(config)# interface ethernet0/1

Router(config-if)# ip address 10.123.123.123 255.255.255.0

Router(config-if)# no shutdown

Next, create your virtual-template that will apply to the inbound VPN connections. This template references the e0/1 interface for its IP address. It also references a pool of IP addresses that will be handed out to VPN clients. Finally, it configures the PPP encryption and authentication mechanisms to match what the Microsoft VPN client defaults to:

Router(config)# interface Virtual-Template1

Router(config-if)# ip unnumbered Ethernet0/1

Router(config-if)# peer default ip address pool defaultpool

Router(config-if)# ppp encrypt mppe auto required

Router(config-if)# ppp authentication ms-chap ms-chap-v2

Now, create the pool of IP addresses. This pool should not already be in use on the internal network you are connecting to:

Router(config)# ip local pool defaultpool 10.123.123.1 10.123.123.10

After that, create a test user:

Router(config)# username test password 0 test

Finally, configure authentication for PPP to use the local database. If you had a RADIUS server, this is where you would point to the RADIUS server instead of the local database:

Router(config)# aaa new-model

Router(config)# aaa authentication ppp default local

The complete configuration looks like this:

username test password 0 test
aaa new-model
!
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group TEST-VPN
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Ethernet0/0
 ip address 10.253.15.19 255.255.0.0
 no shutdown
!
interface Ethernet0/1
 ip address 10.123.123.123 255.255.255.0
 no shutdown
!
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool defaultpool 10.123.123.1 10.123.123.10
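As an added example, not code from the original article, here is a small Python check over the finished configuration. It confirms the points the text makes about the virtual template: MPPE encryption is required, the client pool sits inside the subnet of the unnumbered LAN interface without including the router’s own address, and it flags users stored with clear-text (type 0) passwords. The sample input is a constructed excerpt of the configuration above; the function names are assumptions of this example.

```python
import ipaddress
# Constructed sample input: the address-related part of the article's final configuration.
SAMPLE_CONFIG = """\
username test password 0 test
vpdn enable
interface Ethernet0/1
 ip address 10.123.123.123 255.255.255.0
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
ip local pool defaultpool 10.123.123.1 10.123.123.10
"""

def parse_sections(text):
    """Map each top-level IOS command (lower-cased) to its indented sub-commands."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith("!"):  # skip blanks and IOS comments
            if line[0] != " ":
                current = line.strip().lower()
                sections[current] = []
            else:
                sections[current].append(line.strip().lower())
    return sections

def audit_pptp_config(text):
    """Return findings for the virtual template, pool and user entries (empty list = clean)."""
    s, findings = parse_sections(text), []
    vt = next((k for k in s if k.startswith("interface virtual-template")), None)
    if vt is None:
        return ["missing: interface Virtual-Template"]
    if "ppp encrypt mppe auto required" not in s[vt]:
        findings.append("MPPE not required on the virtual template: unencrypted PPTP sessions allowed")
    unnum = next((l.split()[2] for l in s[vt] if l.startswith("ip unnumbered ")), "")
    pool = next((l.split()[-1] for l in s[vt] if l.startswith("peer default ip address pool ")), "")
    addr = next((l.split() for l in s.get(f"interface {unnum}", []) if l.startswith("ip address ")), None)
    pool_def = next((k for k in s if k.startswith(f"ip local pool {pool} ")), None)
    if not (unnum and addr and pool and pool_def):
        return findings + ["virtual template must borrow an addressed LAN interface and name a defined pool"]
    iface = ipaddress.ip_interface(f"{addr[2]}/{addr[3]}")  # LAN address + mask
    lo, hi = (ipaddress.ip_address(x) for x in pool_def.split()[4:6])
    if lo not in iface.network or hi not in iface.network:
        findings.append("pool lies outside the unnumbered interface's subnet")
    if lo <= iface.ip <= hi:
        findings.append("pool includes the router's own LAN address")
    for u in (k for k in s if k.startswith("username ") and " password 0 " in k):
        findings.append(f"clear-text (type 0) password for user {u.split()[1]}")
    return findings
```

Run `audit_pptp_config(SAMPLE_CONFIG)` on the article’s configuration and the only finding is the clear-text test password; dropping the `required` keyword or moving the pool out of the 10.123.123.0/24 subnet adds a finding each.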

Windows client

To connect to the new PPTP VPN server from a Windows workstation, click Start | Control Panel | Network Connections. Click on New Connection Wizard. Click Next on the welcome screen. Select Connect to the network at my workplace as shown in Figure B.


Figure B

Next, select Virtual Private Network Connection as shown in Figure C.

Figure C




You’ll then see the Connection Name screen. Type in a name for the VPN Connection in the Company Name field as shown in Figure D. Click Next to continue.

Figure D


Next, the VPN Server Selection screen appears. Type in the IP address or hostname for the VPN server (your IOS router’s interface) into the Host name field. In our case, this is 10.253.15.19 as you can see in Figure E.

Figure E


Take the default on the next screen (that this is for anyone’s use) and click Next. Click Finish on the next screen. When done, you will see the screen shown in Figure F below. Type in your test username (test) and test password (test).

Figure F


Click Connect.

Once connected, you should see the VPN icon in your Windows tray, at the bottom right of your screen. If you open the VPN connection and click on details, you should see that you received an IP address from the pool, as seen in Figure G.

Figure G


You should be able to ping the LAN side of the router (the inside, private network) and any host on that network.

That’s it!

The configuration is complete. Hopefully, you can take this configuration and fit it to your network, blending it with your personal firewall, NAT, and Active Directory configuration.
